Sunday, May 10, 2015

Today we are going to take a look at a particularly unpleasant type of malicious software that encrypts your data and appends the .exx extension to file names. Ladies and gentlemen, allow me to introduce you to ransomware. In this case it's a new variant of the TeslaCrypt ransomware. At the beginning of this month I wrote about Alpha Crypt ransomware, which is a slightly modified version of TeslaCrypt. And now we have another slightly modified variant that uses the .exx extension. It's detected as Win32/Filecoder.EM or Win32/Filecoder.ER by some anti-virus engines, but other than that the only difference is the file extension. If your computer is infected with this ransomware you will notice that your files have been renamed to *.pdf.exx, *.avi.exx, *.jpeg.exx, *.docx.exx, *.xls.exx, etc. The ransomware will likely change your wallpaper to show information and links on how to get your files back. You might also see a decryptor window with the same information.

Taking a more in-depth look at .exx ransomware

Ransomware is a type of malware that aims to make a dent in your bank account by conning you out of your hard-earned cash. In this instance it demands a ransom in return for releasing the data it has held hostage, or for giving you back the ability to use your computer.

It does a number of things to coerce you into parting with your money. Here are the most common ones:

It can change your default browser settings so that you have trouble accessing the internet. This has the double-pronged benefit (for the attacker) of not only frustrating you into paying the ransom but also making it harder for you to find a way to get rid of it.

Ransomware can also make your files and documents unusable by encrypting them, in other words holding them hostage until you pay the ransom. As you already know, this variant encrypts your files and appends the .exx extension; that extension is the only thing you can use to identify which ransomware you have on your computer. The warning sent by the attacker, either by email or displayed on your screen, will state that they will send you a code that you can key in to deactivate the ransomware and release the data. However, this is often not the case and you will quite literally be paying a not inconsiderable amount of money for absolutely nothing. The ransom notes are usually named HELP_TO_SAVE_FILES.txt and HELP_TO_DECRYPT_YOUR_FILES.txt. You can find them in each folder that contains at least one encrypted file.

Some types of ransomware are designed to look like antivirus software and will display a pop-up warning saying that your PC is infected with a virus or malware. It will scare you into paying to install the program so that it can clean your machine. Of course, it’s not going to alert you to its own presence, so again, you will be paying for a fake scan, fake viruses, and a software program that does absolutely nothing.

One of the main issues with ransomware is that it can be extremely difficult to remove, sometimes even impossible, which is why it is important that you back up your files and data on a regular basis. Having them saved on a hard drive or another computer makes you less likely to cave in and pay any ransom that is demanded of you.

So I shouldn't pay a ransom?

If you've been infected by ransomware that uses the .exx extension to make your files inaccessible, no, you really should not pay the release fee. Firstly, by giving in to cyber criminals, you are only convincing them that they are in the right line of business. Secondly, chances are, as mentioned, you are paying for thin air: there is no guarantee that they will decrypt your files. At the time I was analyzing this ransomware, the cyber criminals demanded a payment of 2.2 Bitcoins, which is more than $500. The decryption service can be accessed through Web-to-Tor gateways: dlosrngis35.com, anfeua74x36.com, tor2web.blutmagie.de. The cyber criminals wrote a very detailed guide on how to buy bitcoins and even set up a support ticket system in case you have any questions.

How to get my files back?

If you have a recent backup, wipe your hard disk and restore your files from it. If you don't, try the Shadow Explorer program or search your computer for previous versions of your files. If you are lucky you may find files that were not encrypted and renamed to .exx. But before restoring your files, please remove the ransomware and related malware files from your computer; otherwise you will simply waste your time. If you have any questions, please leave a comment down below. Good luck and be safe online!
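To take stock of the damage before restoring anything, here is a small Python triage script (added here as an illustration; it is not code from this blog or from the ransomware authors) that walks a folder tree, counts .exx files by their original type, records which folders carry the two ransom notes named above, and lists originals that still sit beside their .exx copy. The sample directory layout it builds is constructed for the demo.

```python
import os
import tempfile
from collections import Counter

# Indicators from the write-up: the appended extension and the two ransom-note names.
EXX_EXT = ".exx"
RANSOM_NOTES = {"HELP_TO_SAVE_FILES.txt", "HELP_TO_DECRYPT_YOUR_FILES.txt"}

def triage_tree(root):
    """Walk `root` and summarise what the .exx ransomware touched:
    encrypted = count of *.exx files, by_type = Counter keyed by the original
    extension, note_dirs = folders holding a ransom note, untouched = originals
    still sitting next to their .exx twin (copies that escaped encryption)."""
    encrypted, by_type, note_dirs, untouched = 0, Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        if names & RANSOM_NOTES:
            note_dirs.append(dirpath)
        for name in files:
            if not name.lower().endswith(EXX_EXT):
                continue
            encrypted += 1
            original = name[:-len(EXX_EXT)]  # strip the appended .exx
            by_type[os.path.splitext(original)[1].lower()] += 1
            if original in names:
                untouched.append(os.path.join(dirpath, original))
    return {"encrypted": encrypted, "by_type": by_type,
            "note_dirs": sorted(note_dirs), "untouched": sorted(untouched)}

def build_sample_tree(base):
    """Constructed sample layout (empty placeholder files, not real malware output)."""
    docs, pics = os.path.join(base, "Documents"), os.path.join(base, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ("report.docx.exx", "budget.xls.exx",
                 "HELP_TO_SAVE_FILES.txt", "HELP_TO_DECRYPT_YOUR_FILES.txt"):
        open(os.path.join(docs, name), "w").close()
    # holiday.jpeg was encrypted, but its original copy is still present
    for name in ("holiday.jpeg.exx", "holiday.jpeg", "notes.txt"):
        open(os.path.join(pics, name), "w").close()
    return base

def run_demo():
    """Build the sample tree in a temp dir and triage it (used by __main__ and tests)."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_tree(build_sample_tree(tmp))

if __name__ == "__main__":
    print(run_demo())
```

Point triage_tree at a real drive root to get the same summary for an infected machine; the untouched list tells you which originals you do not need to recover.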

Before restoring your files from shadow copies, make sure the ransomware is not running: you have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove the detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

7 comments:

@Raul, unfortunately, some versions of this ransomware strip the master key from the key.dat. If the decryption tool can't find the key.dat or the master key then it will not be able to help you. I can only suggest that you try other tools or wait for the decryption tool to be updated.


About Me

Hi there, and welcome to my humble web presence. I'm Michael Kaur. Malware squasher, geek, and blogger based in Los Angeles, CA. If you'd like to contact me, the easiest way is through email given below or Google+. Simply add me to your Google Plus circles.
